The federal Government Accountability Office has released a report detailing information security issues at the Internal Revenue Service, and among them is lax mainframe management monitoring.
This isn’t the first time the GAO has found issues with the IRS’ data centers and mainframes. Last year the GAO found 115 weaknesses in information security at the IRS. To the agency’s credit, 49 of them have been fixed. But this isn’t a two-year thing. There have been information security problems at the IRS for years.
According to the 30-page GAO report this year, the IRS “implemented controls for unauthenticated network access and user IDs on the mainframe,” “further limited access to its mainframe environment by limiting access to system management utility functions and mainframe console commands,” and “enhanced periodic reviews of mainframe configurations,” all of which were issues from last year’s report. Yet it’s not monitoring changes at one of its data centers’ mainframes:
IRS did not always effectively monitor its systems. For example, IRS had not configured security software controls to log changes to datasets that would support effective monitoring of the mainframe at one of its data centers.
IRS did not fully implement its policies for managing changes to its systems. Specifically, IRS did not maintain or enforce a baseline configuration for one data center’s mainframe system, which supports the revenue accounting system of record and other applications. In addition, IRS used an unsupported software package that was not current and thus vulnerable to attack. Specifically, certain IRS servers were running an outdated version of software that was no longer supported by the vendor and, therefore, could not be patched against a known vulnerability. As a result, IRS has limited assurance that system changes are being properly monitored and that its systems are protected against new vulnerabilities.
I was going to try to come up with a joke here combining Benjamin Franklin’s quote about the only things certain in life being death and taxes, and the phrase “no taxation without representation,” but I couldn’t seem to make it gel. If you have any ideas, let me know. I’ll put it in and throw an attaboy your way.